Building Secure Applications
James Tedrick
What We’re Covering Today: Accessing ArcGIS Resources
[Diagram labels: Portal, ArcGIS, ArcGIS Server, Web App, Mobile App, Server]
Topics covered:
• Using Token endpoints
• Using OAuth/SAML
• User login
• App login
Other session topics not covered:
• Securing Services
• Designing Enterprise Security Strategy
What We’re Covering Today: Accessing ArcGIS Resources
Token Generation
• Portal for ArcGIS
• ArcGIS Server
• ArcGIS Online (legacy)
SAML/OAuth 2.0
• ArcGIS Online
• User login
• App login
• Different workflows depending on application
Security Configuration
[Diagram labels: Portal, ArcGIS, ArcGIS Server]
• Outside direct developer control
• Configured by GIS Admin
• Specific to a given GIS site
• Occurs at differing levels
• Application (ArcGIS Server)
• Web Server (IIS)
• Verifies against a user store
• ArcGIS for Server internal store
• AGO/Portal internal store
• External (Active Directory / LDAP)
• Groups/roles can be stored elsewhere
ArcGIS Platform Security Locations
[Diagram labels: Data, Application (Server/Portal), Web, Internet; Web Tier; Application Tier: Server; Application Tier: Portal; Federated Server; Server; Portal; Web Adaptor]
Web Tier Authentication
• Web Server (IIS / Tomcat) authenticates on request
• Web Adaptor / reverse proxy
• Identity is transmitted from web tier to application tier
• Requires ArcGIS Server to have SSL enabled
• Configuration:
- ArcGIS Server – set to ‘web tier’ authentication
- IIS / Tomcat – disable anonymous access
• Login types
- Integrated Windows Authentication (IWA) – Windows login ID
- Basic / Digest – username/password dialog
Single Sign On (SSO)
• Integrated Windows Authentication (IWA)
- Sign in once to Windows (i.e., login to your computer)
- Supporting apps supplied with Windows credentials
• ArcGIS Online / Portal for ArcGIS / Server
Public Key Infrastructure (PKI)
• Federal identity standard
• 2 Factor authentication (Card & PIN)
- CAC card contains certificate
- User supplies PIN that is matched against card, certificate is forwarded to application
• Issues
- HTTPS required
Application level authentication
• Default for ArcGIS products
• Web server MUST be configured for anonymous access
• Authentication handled by services shipped with ArcGIS for Server / Portal
• ArcGIS Servers federated to Portal rely on Portal’s authentication results for
Token Authentication
• After username / password submission, receive token string
• Use token with all REST requests as the ‘token’ parameter
• Tokens have a set lifetime (default/requested length)
• Token Generation URLs:
- Portal Tokens: ArcGIS Online, Portal for ArcGIS, Federated ArcGIS for Server
<PORTAL URL>/sharing/generateToken (e.g., http://myportal.mycompany.com/portal/sharing/generateToken)
- Server Tokens: ArcGIS for Server
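Added example (not from the original slides): one way to prepare the generateToken request and read the reply in Python, refusing non-HTTPS URLs and keeping the credentials in the POST body. The client, referer, expiration and f parameters belong to the ArcGIS REST API but do not appear on the slides; the account name, referer and sample replies are constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

def build_generate_token_request(portal_url, username, password, referer, minutes=60):
    """Return (url, headers, body) for a POST to <PORTAL URL>/sharing/generateToken."""
    if urlsplit(portal_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    body = urlencode({
        "username": username,
        "password": password,
        "client": "referer",    # tie the token to the calling application's URL
        "referer": referer,
        "expiration": minutes,  # requested lifetime, in minutes
        "f": "json",
    }).encode("ascii")
    url = portal_url.rstrip("/") + "/sharing/generateToken"
    # Credentials travel in the POST body, never in the query string (URLs get logged).
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_token_response(text):
    """Return (token, expiry as an aware UTC datetime); raise on an error reply."""
    data = json.loads(text)
    if "error" in data:
        raise PermissionError(data["error"].get("message", "token request refused"))
    # 'expires' is given in milliseconds since the Unix epoch.
    expires = datetime.fromtimestamp(data["expires"] / 1000, tz=timezone.utc)
    return data["token"], expires

# Constructed sample replies (not captured from a real site).
SAMPLE_OK = '{"token": "CONSTRUCTED_TOKEN", "expires": 1700000000000, "ssl": true}'
SAMPLE_ERR = '{"error": {"code": 400, "message": "Unable to generate token.", "details": []}}'
```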
IdentityManager
• Uniform class across web APIs for logging in
• Automatically handles login process for all secured services
• Updates tokens to keep access current
• Issues:
- Only for services with token-based security
- Presents multiple dialogs (1/server)
Embedding Authentication
• Token lifespan – can be set during request
• Token embedded within proxy – expose secured services
• ArcGIS Online & Portal can store credentials and proxy on demand
• Enables secured resources to be displayed anonymously through select channels (using 2+ web adaptors)
• Service with embedded authentication
Identity Manager
Proxies
SAML & OAuth: ArcGIS Online
SAML - Security Assertion Markup Language
• Separates Authentication (login) from Resources (AGO)
• ArcGIS Online can use an organization’s login information (i.e., Active Directory)
• Set up:
- ArcGIS Online (AGO org admin)
- Login provider (enterprise admin)
• Enables Single Sign-On into ArcGIS Online
• From app developer perspective, process is uniform: you interact with ArcGIS Online, not the identity provider
OAuth
• Differentiates between application server, authentication server
• Authentication server logs user in, checks for user acceptance of application
• Application server does not see username/password as they are entered
OAuth login workflows
• User login – User needs their own ArcGIS Online account
• Application login – User uses your ArcGIS Online account
• 2 endpoints used in processes
- https://www.arcgis.com/sharing/oauth2/authorize
- https://www.arcgis.com/sharing/oauth2/token
OAuth login key properties
• Set up in ArcGIS Online’s Item Content or Developer Dashboard
- redirect_uri – resource to load when presenting new credentials
- appId – unique ID of application in ArcGIS Online
- appSecret – secret key used with appId (appId’s ‘password’)
• appSecret should never be exposed to user
- Including embedded in mobile application
Registering an app
OAuth logins – User logins
• Access user’s data & maps
• Tasks consume user’s credits
• Logins can be either ArcGIS or Enterprise (i.e., Active Directory, LDAP)
• Process by application type:
- Login in HTML/JS – 1 step (implicit grant)
1. Access /authorize, load resulting redirect containing token
- Login at application (iOS/Android) or web server (.Net/PHP) – 2 step (authorization grant)
1. Access /authorize, load resulting redirect with authorization code
2. Access /token with code, receive token
• ArcGIS Online does not contact Identity Provider directly
• Identity Provider only needs to be seen by the client, not the internet
Warning:
Simplified Diagrams Ahead
User Login – Web Applications
[Diagram labels: ArcGIS Online, Your application server, Identity Provider, User login]
All communication between ArcGIS Online and Identity Management occurs via the client through redirect URLs
1. Application loads into client
2. Application requests authorization by opening https://www.arcgis.com/sharing/oauth2/authorize
3. ArcGIS Online redirects to organization login
4. User logs in using login system
5. Login system authorizes user to AGO
6. ArcGIS Online gives the application access by loading redirect_uri with the access token appended
User Login – Desktop/Device App
[Diagram labels: ArcGIS Online, Identity Management]
1. Through an embedded web browser, application requests authorization by opening https://www.arcgis.com/sharing/oauth2/authorize
2. ArcGIS Online redirects to organization login page
3. User logs in using login system
4. Login system redirects browser, providing authorization code
5. Application captures authorization code
6. Application requests access token from AGO https://www.arcgis.com/sharing/oauth2/token
7. AGO provides token
User Login – Server Applications
[Diagram labels: ArcGIS Online, Your application server, Identity Management]
1. Application loads into client
2. Application requests authorization by opening https://www.arcgis.com/sharing/oauth2/authorize
3. ArcGIS Online redirects to organization login page
4. User logs in using login system
5. Login system redirects browser, providing authorization code as uri parameter
6. Server gets authorization code from uri
7. Application requests access token from AGO https://www.arcgis.com/sharing/oauth2/token
8. AGO provides token
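Added example (not from the original slides): the two-step authorization grant described above, in Python, with the checks a redirect handler needs before it trusts an authorization code. The state parameter, the app ID placeholder and the callback URL are assumptions not shown on the slides; the code exchange is built without appSecret, so the same logic suits a device app.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.arcgis.com/sharing/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"

def begin_login(app_id, redirect_uri):
    """Step 1: URL to open in the browser, plus the state to keep in the session."""
    state = secrets.token_urlsafe(32)  # unguessable value, used for one login only
    query = urlencode({"client_id": app_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def capture_code(callback_url, expected_state, redirect_uri):
    """Capture the authorization code from the redirect, rejecting forged callbacks."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the reply is not for this login.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:  # e.g. the user declined the application
        raise PermissionError(params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

def build_token_request(app_id, code, redirect_uri):
    """Step 2: (url, form body) for the POST to /token that exchanges the code."""
    body = urlencode({"client_id": app_id, "grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return TOKEN_URL, body.encode("ascii")
```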
Application Login
• Uses appID, appSecret as application ‘username’ & ‘password’
• User is never aware of ArcGIS Online (aside from the documentation ☺)
• Developer’s responsibility to provide access controls
- Otherwise, you’re offering your credits to everyone!
• What you can do:
- Access AGO tasks (Geocoding, routing, etc.)
- Access application owner’s private items stored in ArcGIS Online
- Search public items in ArcGIS Online (NOT Organizational)
Application Login
[Diagram labels: ArcGIS Online, Your application server]
1. Application requests authorization by opening https://www.arcgis.com/sharing/oauth2/token (normally done independent of user interactions)
2. ArcGIS Online provides a token
3. Application loads into client
4. Client requests an operation that makes use of AGO resources
5. Server requests resources with token
6. ArcGIS Online provides response
7. Possible further processing; response is delivered to client
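Added example (not from the original slides and not the appIDexample demo): the application login steps above in Python, with the token held on the server and an access-control gate in front of it so the owner's credits are not open to everyone. The post and call_ago callables, the task allow-list and the per-user quota are hypothetical names introduced here.

```python
import time
from urllib.parse import urlencode

TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"

class AppTokenCache:
    """Steps 1-2: holds the application token on the server; clients never see it."""
    def __init__(self, app_id, app_secret, post, clock=time.time):
        self._creds = {"client_id": app_id, "client_secret": app_secret,
                       "grant_type": "client_credentials"}
        self._post, self._clock = post, clock  # post(url, body) -> parsed JSON dict
        self._token, self._expires_at = None, 0.0

    def token(self, margin=60):
        # Renew shortly before expiry so requests in flight never carry a stale token.
        if self._token is None or self._clock() >= self._expires_at - margin:
            reply = self._post(TOKEN_URL, urlencode(self._creds).encode("ascii"))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + reply["expires_in"]
        return self._token

ALLOWED_TASKS = {"geocode"}  # hypothetical: the only AGO task this app offers

def handle_client_request(session_user, task, params, cache, call_ago, quota):
    """Steps 4-7: gate the request, add the token server-side, return only the result."""
    if session_user is None:
        raise PermissionError("login to this application required")
    if task not in ALLOWED_TASKS:
        raise PermissionError("task not offered by this application")
    if quota.get(session_user, 0) <= 0:
        raise PermissionError("per-user quota exhausted")
    quota[session_user] -= 1
    # The token is attached here, on the server, and is not part of the reply.
    return call_ago(task, {**params, "token": cache.token(), "f": "json"})
```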
Application Login
Resources
• Presentation Samples:
- IdentityManager Information: https://developers.arcgis.com/javascript/jsapi/identitymanager-amd.html
- Proxy Information: https://developers.arcgis.com/javascript/jshelp/ags_proxy.html
- OAuth User Login: https://developers.arcgis.com/en/javascript/jssamples/portal_oauth_inline.html
- Application Login demo: https://github.com/tedrick/appIDexample
• Developer Page: https://developers.arcgis.com/en/authentication/index.html
• JS Application Boilerplate: https://github.com/Esri/application-boilerplate-js
• JS Sample: iOS Sample: https://github.com/Esri/OAuth2-Demo-iOS